OpenMM Grid Trading
v0.1.0
Create and manage grid trading strategies with OpenMM. Automated buy/sell around center price.
⭐ 0 · 867 · 6 current · 7 all-time
by Angelos Kappos (@adacapo21)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill claims to run OpenMM grid trading (which legitimately needs an 'openmm' binary and an API key for the exchange you choose). However the metadata requires four different exchange API keys (MEXC, GATEIO, BITGET, KRAKEN) even though a user will typically only trade on a single exchange per run. Requiring all exchange keys up-front is disproportionate and unexplained.
Instruction Scope
The SKILL.md itself only instructs the agent to run the 'openmm' CLI with flags and to load optional local JSON profile files; it does not ask the agent to read arbitrary system files or exfiltrate data. However the runtime metadata declares environment variables (multiple API keys) that the docs do not clearly justify or scope to 'only provide the key for the exchange you will use'. This gap between instructions and declared requirements is noteworthy.
Install Mechanism
Install is via an npm package (@3rd-eye-labs/openmm) which will create the 'openmm' binary. Using npm is a common mechanism but carries moderate risk because packages are third-party code. No direct downloads from untrusted URLs or archive extraction are declared, but the package source/maintainer is unknown and should be audited before install.
Credentials
Listing four exchange API keys as required is excessive for a tool that only needs the key for the exchange you choose at runtime. These API keys are sensitive (can enable trading and possibly withdrawals). The skill does not declare a primary credential nor document minimal required permissions (e.g., disable withdrawals), so the requested secrets are not proportional or adequately justified.
Persistence & Privilege
The skill does not request always: true, does not declare system config paths, and does not appear to demand persistent system-level privileges. It appears to be limited to installing/using its own 'openmm' binary.
Scan Findings in Context
[no_findings] expected: The scanner found nothing because this is an instruction-only skill with no code files. That is expected, but it means there is no local code to review — you must instead inspect the npm package before trusting it.
What to consider before installing
Before installing or providing credentials:
(1) Only supply API keys for the exchange(s) you actually intend to use; do not populate all four keys unless you need them.
(2) Create API keys with minimal permissions (enable trading, disable withdrawals) and, where available, restrict by IP.
(3) Audit the npm package @3rd-eye-labs/openmm before installation: check its repository, publisher, package.json, and published code for unexpected behavior.
(4) Run the tool in a sandboxed environment (container or VM) and test with --dry-run first.
(5) If you cannot inspect the package or verify the publisher, treat the package as higher-risk and avoid giving long-lived credentials.
Additional information that would raise confidence: the package's source repository, a verified publisher, or explicit docs saying only the key for the selected exchange is required and what permissions are needed.
Tags: grid, latest, marketmaking, openmm, trading
Runtime requirements
Platform: Clawdis
Bins: openmm
Env: MEXC_API_KEY, GATEIO_API_KEY, BITGET_API_KEY, KRAKEN_API_KEY

Install (Node)
Bins: openmm
npm i -g @3rd-eye-labs/openmm